TW200949602A - Microprocessor apparatus and method for persistent enablement of a secure execution mode - Google Patents

Abstract

An apparatus providing for a secure execution environment including a microprocessor and a secure non-volatile memory. The microprocessor executes non-secure application programs and a secure application program. The secure application program is executed exclusively within a secure execution mode within the microprocessor. The non-secure application programs are accessed from a system memory via a system bus. The microprocessor has a non-volatile enabled indicator register that is configured to indicate whether the microprocessor is within the secure execution mode or a non-secure execution mode, where contents of the non-volatile enabled indicator register persist through memory is coupled to the microprocessor via a private bus and is configured to store the secure application program, where transactions over the private bus between the microprocessor and the secure non-volatile memory are isolated from the system bus and corresponding system bus resources within the microprocessor.

Description

200949602 VI. Description of the invention: [Technical field to which the invention pertains] The present invention relates to the operation of a two-woman full execution mode in the field of microelectronics > sniper ^ β ^ ^ < 7 Allows the operation of a stone horse in a secure environment within the microprocessor. [Prior Art] ❹ Straight-note notebooks, handheld computers and communication devices can be used as digital communication for confidential or special-purpose data and digital control content. The brain industry continues to develop new security for this hearing. For example, there are many established applications for downloading and managing digital sounds for free. 档案 a 档案 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 。 In particular, the above protects these rights through the use of security built into these applications, which are usually based on the security mechanisms provided by their host. σ ❹ In addition to the protection of digital content rights, Another factor driving the security of computer systems is the implementation restrictions imposed on the host platform itself. It is currently known that the mobile phone industry has provided what is called "Pay-as-y." in a particular communication device. By using this scheme, the user does not need to pay a monthly fee, but the amount of minutes of a call must be paid in advance. When used; when the number of minutes is 'in addition to emergency, the maker is denied access to the mobile phone network access to the call. As early as 2006, MICROSOFT and its partner companies have provided mainly to the emerging computer market, with pay-as-you-go, personal computers. In this case, the purchase of prepaid cards, when using the computers of these companies, CNTR2447/ 0608-A41940TWP 4 200949602% is paid for. In addition, U.S. Patent Application Publication No. 20060282899, which is incorporated by reference to the entire entire entire entire entire entire entire entire entire entire entire entire entire entire entire Includes one or more accessory modules customized to allow customized operating systems. In this application, the accessory module provides support or extension capabilities for the computer (which includes hardware, application software, peripherals, and support devices). Prior to setup, the digital signature can be used to determine the integrity of the secondary module and the verification certificate (certificati) can be used to determine if the additional module settings are authorized. This proves that the service provider can manage illegal or undesired modifications to the provided computer. In addition, digital rights management can be used to execute the use of accessory modules that match the license configuration. Not surprisingly, a real host of technical methods has been developed that provides circumvention security measures that appropriately protect and control access to rights control digital media, communication devices, and computer platforms. Recently, hacking (investigating illegal hackers) has become a research topic. In fact, the inventor of the present case has noticed that many works for tampering or completely invalidating security management are used to protect access and/or use of protected assets. By Andrew Huang, San

Francisco: No Starch Press, 2003 The book Hacking the Xbox: An Introduction to Reverse Engineering is one of the above works. This work is particularly focused on teaching illegal intrusion techniques to overcome the security mechanisms of the XBOX gaming platform produced by MICROSOFT, and provides the subject of computer security and reverse engineering, and discusses the weaknesses of the so-called "safe" computer platform. CNTR2447/ 0608-A41940TWf/ 5 200949602 % Therefore, platform builders and designers continue to engage in more efficient techniques and mechanisms to avoid unauthorized platform processing, whether the access is benign (eg probing or snooping) Malicious (such as destructive or violation of rights) or somewhere in between (such as tampering). Many of these mechanisms are used to prevent an intruder from actually accessing the platform, such as placing the platform on a secure base (such as a locked metal enclosure) or encapsulating a circuit with a weak point into the epoxide. However, these types of technologies are known to increase system cost and complexity. Other mechanisms use the security features provided by the specific computer architecture. Consider the two main security features that are known to be provided by the χ86 architecture: paged virtual memory and privileged execution. In the case of paging virtual memory, the basic operating system defines a separate virtual location space and access rights (eg, only execute, read only) for each application being executed, thus blocking another secret sneaky The application executes 'and prevents it from modifying the data in the defined area. However, since the data associated with the virtual address translation (ie, the pagination form) ® exists in the system memory and it appears on the system bus outside the host microprocessor 'so this data can be easily snooped and change. In the case of privileged execution, the χ86 structure provides several classes of execution privilege CPL0 to CPL3. Therefore, some system resources and instructions can only be accessed by the running application. It is generally known that the operating system components operate at the highest privileged class CpL, and the user application is classified as the lowest privileged class CPL3. However, those skilled in the art will be aware that some of the architectures are primarily developed to prevent software errors and prevent intentional or directed hacks. CNTR2447/ 0608-A41940TWf^ 200949602 It is not very effective. ^ Therefore, a variety of methods and devices have been developed that focus more closely on preventing intentional intrusion and takeover of the platform. In U.S. Patent No. 5,615,263, Takahashi teaches a security mode in a dual mode (this & 1 ^^ heart) processor. In normal/external mode, this dual-mode processor executes the deductions provided by external sources. These instructions are provided by the dual-mode processor's input/output, the '° dual-mode processor. This dual-mode processor enters a secure/internal mode when it receives an interrupt from a dedicated software or hardware. This interrupt is (4) in the presence of a dual-mode beta processor, the security function in the read memory. Based on this received interrupt, the wheel/man output of the dual-replacement processor is disabled. This confirmed security function is performed by a dual mode processor. During the execution of this safety function, any attempt to insert a non-received instruction is ignored. However, at the dual mode, the device can access the data specifically confirmed by the security function being executed. The girl, after the execution of the culprits is completed, performs an exit procedure so that the input/output of the dual-mode processor can be re-started by the input/output to the instructions provided by the external source of the dual-mode processor. Takahashi teaches that this security mode is used for encryption and decryption, and that the dual-mode processor processes the normal instructions and data provided by the external control channel processor through the bus, where the sink "IL is paid A standard bus architecture, such as the Industry Standard Architecture (ISA). This dual-mode processor is turned on in non-secure mode, and the security mode is initialized by an interrupt from software or hardware. In safe mode , a limited number of functions (ie instructions) for encryption and decryption can be performed. These functions are stored in a read-only memory (RO M), which is located inside the dual mode processor. The inventor of the present invention CNTR2447/ 0608-A41940TWi/ η 200949602 t-

Note that ' Takahashi's dual-mode processor is not appropriate, because ahasM's dual-mode processor can only execute a limited number of functions provided by internal R(10), including general purpose instruction applications (ie, in microprocessors). Any order) can not be executed in the safe mode - enter the country patent number 7 84, Ellis〇n exposes ^ establish the An Wang ring i brother's chip set, for a separate storage tester The at least one processor has and operates by being accessed by at least one processor or in the isolated execution mode. The leg_secure environment is based on an external chip, group=row circuit), which provides a mechanism to the processor to perform the isolation ==. = The external chipset is therefore configured with a secure memory area, "Decoding and translation of the isolation instructions, & bus cycle & 5:=. When this external chipset actively isolates the memory area: when ordering, etc. At this point, the external chipset is coupled to the at least-processor through a 7 ,, thus allowing for a sneak peek and traffic tampering on the bus bar in any secure thread's hoistway flow. In 7丨3〇95丨, Christie exposes a processor with a secure execution mode capability, which is interrupted so that when it is operating in a non-processor, it includes a processor with the ability to re-enable the security execution mode. At the time, the processor that interrupts this line mode is operating in a sneak peek = when there is a security stub interrupt to avoid this processor interrupt type, the security features expected in the banned complex are based on -^ The interruption is disabled when the instructions are provided through the system bus and are provided by an operating system. Like m: mechanism of CNTR2447/0608-A41940TW^1S〇n, 8 200949602 A device can be explicitly communicated to the processor via the busbar to make bus sneak peeks and tampering. In U.S. Patent No. 6,983,374, Hashimoto discloses a tamper-resistant microprocessor that saves its execution on its The content information of a program interrupted, wherein the processor state is encrypted and stored in system memory. Hashimoto also teaches techniques for extracting encrypted instructions from system memory and means for decrypting encrypted instructions and executing the encrypted instructions. In addition, Hashimoto teaches the use of a corresponding key to provide encryption instructions in memory, and then uses an asymmetric key algorithm to encrypt the symmetric key stored in memory. For the creator of the program Said that the symmetrical gold record is known 'and uses the public gold read from the processor to encrypt this symmetric key. This processor includes a unique private key, which is open to the public and the user can not Access. Therefore, according to the line of the branch instruction, the program control is transferred to "initial encryption execution, instruction, which transmits a label to plus Symmetrical Jinyu. The processor retrieves the encrypted symmetrical gold and decrypts its internal private money. Then, the encryption program instruction memory is retrieved and decrypted by using the decryption symmetric key. In the event of an interruption or anomaly, the state of the processor is cryptographically encrypted and stored in memory. Hashim〇t〇 exposes the common cache mechanism for ^, dense coding, interrupt logic, exception handling logic: The inventor of this case has been conscious of the fact that Hashim〇t〇's micro-processing eight-code is known to correspond to the safety of the stone horse. The symmetry of the gold cymbal, and the symmetrical key is leaked, therefore, all systems with this code will have to be attacked. > In addition, the inventor of this case has noticed that Hashi_::. CNTR2447/ 0608-A41940TWF 孬 Disadvantages 9 200949602 «- It is necessary to perform the decryption of the secure code in the operation of the capture instruction, which takes a lot of time, thus causing the processing power of the microprocessor to become slow. In addition, it is noted that Hashimoto's secure coding takes advantage of existing non-secure resources such as system memory, paging forms, interrupts, and exception mechanisms, all of which are subject to snooping. Accordingly, the inventors of the present invention understand that it is apparent that it is desirable to provide a microprocessor capable of executing an application or application thread including a general purpose instruction (i.e., any instruction in a microprocessor's instruction set) in a secure execution environment. © In addition, it is also expected that this safe execution environment will be isolated from any known methods of snagging and tampering. Therefore, instructions need to be executed by a secure execution mode microprocessor, and the secure execution mode microprocessor is isolated from the processor to provide access (eg, cache view, system bus flow, interrupt, and error and trace features). ) The hardware. In addition, it is more desirable to provide a mechanism to confuse the structure and content of an application from any existing monitoring device when the microprocessor loads the application and executes it securely, and provides a mechanism to prove the source of the application and confirm its integrity. Reality. SUMMARY OF THE INVENTION The present invention is applicable to solving the aforementioned problems and other problems, disadvantages and limitations of the conventional techniques. The present invention provides a preferred technique for enabling the execution of a secure application on a general purpose microprocessor platform. In one embodiment, an apparatus for providing a secure execution environment is disclosed that includes a microprocessor and secure non-volatile memory. The microprocessor executes a plurality of non-secure applications, and a secure application, wherein the secure applications are executed only in the secure execution mode of the microprocessor, and the non-secure applications are connected through the system CNTR2447/0608-A41940TW 10 200949602 &quot ;丨!· Access to system memory. A register to indicate that the microprocessor θ / includes a non-volatile enable indicator in full execution mode. During the safe execution mode of the microprocessor or the non-volatile non-volatile indication indicating the contents of the register ς 2 re-applied, the body transfers the microprocessor through the private bus. , :, send memory ί number of stream on the microprocessor and safe non-volatile:; use: corresponding system bus resources. (10) and the plural in the microprocessor. Another embodiment of the present invention describes the execution of the security processor in the security execution environment: the r processor device is used in the non-volatile memory and the ::: program. The microprocessor communicates through private convergence to execute multiple non-secure applications and execute in a secure mode: two packets of interface, early, secure non-volatile memory, volatilization enable register . The bus bar is single =, and the non-top wire is used to control the ice - the unloading is realized in the 汇 汇 = = = = = = = = = = = = = = = = = = = = = = = = = Safe Non-volatile Memory Interface Unit Transparency = : Discharge the microprocessor to safe non-volatile memory. In private = = multiple private bus data used to access secure non-volatile memory == to avoid being known by any device in the microprocessor system bus and the bus. Non-volatile (4) Γ Microprocessing 11 is in safe execution mode or non-safe execution mode. 1 During the power-removal and re-application of the broken processor, the contents of the non-volatile register persist. Heart CNTR2447/ 0608-A41940TW u 200949602 Security is implemented in a secure execution environment - the method consists of arranging all non-volatile memory for storage: : security; by means of a private data transmission on the private bus, The code is stored in a secure non-volatile memory, in which the private sink ❹ 排 轻 轻 全 全 全 全 全 全 ; ; ; ; 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化 初始化= in the non-volatile enable indicator register; and through the private bus from the ς = non-volatile memory to obtain a secure code, the microprocessor to the bus to isolate all the system bus resources in the microprocessor Outside the microprocessor, and the private bus is only known and accessed by the microprocessor's logic.戈全执 Regarding industrial applicability, the present invention can be implemented in a microprocessor. This micro-processing is used for general purpose or special purpose, 1 [Embodiment] Clothing. The above described objects, features and advantages of the present invention will become more apparent from the description of the appended claims. The present invention is disclosed in the above preferred embodiments, but it is not intended to limit the scope of the invention, and the scope of the invention is not limited by the spirit and scope of the invention. Further, the scope of protection of the present invention is subject to the patent application and the network. In view of the above-mentioned background regarding the security, topography and application of techniques for preventing snooping, intrusion, tampering, or 骇== % 在一 in a microprocessor, the discussion of the present invention will be through Dijon. To the figure, CNTR2447/0608-A41940TW 12 Λ Re-regulation. 200949602 Referring to Figure 1, there is shown a schematic diagram of a secure execution mode (SEM) microprocessor in accordance with an embodiment of the present invention. This schematic depicts the system board 1 (or motherboard) where the SEM microprocessor 101 is configured. The microprocessor 101 is coupled through system bus 102 to one or more bus masters 103 and/or one or more bus agents 104. In one embodiment, the SEM microprocessor 101 is an x86 compatible microprocessor 101 coupled via a χ86 compatible system bus 102 to one or more χ86 compatible bus masters 103 and/or one or A plurality of x86 compatible bus management devices 104. In addition, the SEM microprocessor 101 is coupled to a battery VP which is disposed on the system board (main board) 1B and coupled to the microprocessor 101 via connection paths VP1 and VP2. In one embodiment, the voltage of the battery VP is 1.8V DC voltage (DC). The quartz XI is also disposed on the system board 100 and coupled to the microprocessor 110 through the connection paths C1 and C1. Microprocessor 101 includes SEM logic circuitry 105. The SEM logic circuit 105 in accordance with the present invention is configured to provide initialization, operation, and termination of a secure execution mode within the microprocessor, as will be described in more detail below. The SEM logic circuit 105 includes logic, circuitry, devices, or microcode (ie, microinstructions or native instructions), or a combination of logic, circuitry, devices, or microcode, or equivalent to initialize a secure execution mode. The components enable the SEM logic circuit 105 to load a secure application to execute, execute the applications in a secure environment, monitor some microprocessor and system characteristics in order to detect and prevent tampering, and terminate the secure execution mode if appropriate If the tampering is detected, the processing is suspended. The functions used to perform these functions with other functions in the SEM logic circuit 105 can be shared with other circuits, microcodes, etc., for performing other functions within the microprocessor 101. Microcode is a noun that refers to a plurality of microinstructions in accordance with the scope of the present application. A microinstruction (also known as a native instruction) is an instruction at the level at which a unit executes. For example, microinstructions are executed directly by a Reduced Instruction Set Computing (risC) microprocessor. For a complex instruction set computing (CISC) microprocessor (such as an x86-compatible microprocessor), the x86 instruction is first translated into the associated microinstruction, and the associated microinstruction is then directly A unit or a plurality of units in a CISC microprocessor are executed. The secure non-volatile memory 107 is also disposed on the system board 100, which is coupled to the microprocessor 10 via a private push bus (PVT BUS) 106 and a memory detection bus PSNT. According to the present invention, security The non-volatile memory 107 is a memory whose contents remain after removal and re-application of the power source. That is, the contents of the secure non-volatile memory 1〇7 are not changed when the power supplied to the system board is turned off or on. © In one embodiment, the secure non-volatile memory 107 includes flash read only memory (ROM) 'the size of which is equivalent to the size of the secure application to be executed in the secure execution mode. In one embodiment, consider a 4MB flash read-only memory as the secure non-volatile memory 1〇7. The data transactions on the private bus 〇6 are completely isolated from the system bus 102, the bus master 1〇3, and the bus management device 〇4, and the private bus 106 is located at the microprocessor ιοί. External. In one embodiment, the flash read only memory body 107 can be programmed up to 1 time. In one embodiment, the private bus 106 is contemplated to be implemented in a sequence of busses that provide CNTR2447/0608-A4194011^^ 14 200949602 data transfer between the secure non-volatile memory 107 and the microprocessor ιοί. This private bus 106 can conform to standard interface protocols, such as the Serial Peripheral Interface (SPI) protocol. In operation, battery VP and quartz 提供 provide continuous operation of the real time clock (Reai Time c丨〇ck, rTC) (not shown) in SEM logic circuit 105, which will be described in detail below. One or more secure applications, including one from the host architecture instruction set, are retrieved from the system s memory (not shown) through the system bus 〇2 and stored in the secure non-volatile memory 107. In one embodiment, one or more security schemes are encrypted using a private asymmetric key that belongs to the auth〇rizing party, and the security scheme is encrypted in its asymmetric encryption format. It is accessed from system memory. In one embodiment, it is contemplated to encrypt - or multiple secure applications via rsa algorithm rules. After this, or after multiple secure applications are ageed from the system memory, the microprocessor decodes the one or more secure applications with the corresponding public gold wire and confirms the one or more secure applications. According to the enabling of the security execution mode and according to a "initial security execution, the execution of the instruction, the complex cryptographic resources in the SEM logic circuit" to one or more security according to a pair: Should be 吏 = dense, in addition, the leg logic circuit 1〇5 is transmitted to the secure non-volatile = 1〇7 through private = encrypted - or multiple security applications. After that, the SEM logic circuit 2 = number force: or it comes to One or more: The microprocessor is just inside - the safe and isolated random memory is loaded to CNTR2447/0608-A41940TW k fat xvAiVL; 200949602 or a cache memory (not shown). Full execution mode), sEM logic circuit security application can learn about the resources of the system and these system resources provide internal non-security, non-security exception logic and tracking/debug logic. Or multiple security should be: = dedicated security execution resources within m 夕 105 to be lighted this & security application can then restore the processing mode to normal execution mode 'or if the detection = microprocessor switch to Have The function = π all the way with the tampering, SEM_ circuit 1G5 then make the microprocessor all shut down (hardware shutdown mode). Off = this - or multiple security programs (or, security editors (but not limited to this) perform critical security tasks such as credential verification, data encryption, and data decryption; monitoring is confirming the integrity of normal system software users/, installation. Extension with #源使用; new software installation In the example of the safety treatment system of the present invention, it is considered to use the type of safety _ hair memory = door CHAN = england Xl. These surface elements are assembled or other similar techniques welded on the system board 1 〇 ° The processor 1〇1 also executes instructions stored in the system memory (not shown), which are stored in the system memory (not shown) through the system bus bar 1〇2. In the concept of the present invention, micro The processor CNTR2447/0608-A41940TW j 200949602 101 can operate as a central processing unit (CPU) without the requirement of a coprocessor (c〇process〇r). That is, the micro processing of the present invention 101 can execute the host finger All instructions of the set 'and can execute all applications. Similar to the function of a single instruction, program thread or program fragment that can only be transferred from a main CPU. The processor is compared with the processor. 1〇1 directly executes all instructions in the corresponding application, whether the application is a secure application that stores secure non-volatile memory 107 or a non-secure application that is retrieved through the system bus. 102. 2 Figure 'State diagram 200 illustrates the most two-stage mode of operation in the microprocessor of Figure 1. In this highest class, the microprocessor 101 provides three main operating modes 201-203 and a hardware shutdown mode 2〇4. The non-secure execution mode 2〇1 is the default state of the default when the first power is supplied after the microprocessor 101 is manufactured. The non-secure execution mode 201 is also referred to as a native uncontrolled (b〇rn generation) mode π. The native uncontrolled mode 201 is the manufacturing state of the microprocessor 1.1, which provides normal execution of non-secure applications. Among them, these non-secure applications are accessed in the system memory through the system = bus 1. In this state, any resources associated with the secure execution of the secure application cannot be communicated and cannot be operated. These resources include SEM logic circuit 105, secure non-volatile memory 107, and some other special registers including symmetrical and asymmetric cryptographic keys, secure interrupts, secure memory (RAM), and other hardware. It will be detailed below in (4). By providing the original control type 201', the action type t (common to the non-secure microprocessor can be implemented) (this is due to the CNTR2447/ 〇608-A41940TWf) / 17 200949602 Native uncontrolled mode 201 provides for the execution of non-secure applications, so the same die design of microprocessor 101 can be added to non-secure Processor. In one embodiment, the pinout of the non-secure microprocessor is different from the SEM microprocessor 1.1, and if the f-safe microprocessor is configured on the security system board, it is not secure. The SEM logic circuit 105 of the microprocessor will be inoperable due to different power supply applications. In one embodiment, execution of the SEMENABLE instruction causes the mode of the microprocessor 101 to transition to the safe execution mode 2〇2. Both Secure and Non-secure applications are executable under Security© Execution Mode 202, but non-secure applications cannot access secure resources. Secure Execution Mode 2〇2 is also known as SEM-Enable Mode 2〇2. Under the control of the application (referred to as program control), the state of the microprocessor can be converted back to the native uncontrolled mode 201, however, the number of conversions to the native uncontrolled mode 2〇1 is limited. In an embodiment The processor can be converted back to the native uncontrolled mode up to 64. In another embodiment, the special (partlCular) Machine Specific Register (MSR) is written with a identifiable licensor. The mode of the microprocessor 101 is converted to the secure execution mode 202. The SEM logic circuit 1〇5 monitors the state of the corresponding microprocessor and is associated with potential tampering, and causes the microprocessor to self-safely execute the mode 202 based on one of these states. Switching to the degraded (operating) mode 2〇3. If some of the defined states are detected by the SEM logic circuit 105, the microprocessor 101 is automatically converted to the degraded mode 203. In the degraded mode 2〇3, The BI〇s instruction is executed to provide the user input and display of the message, but the execution of more complex software such as the operating system is not allowed. In the degraded mode 2〇3 CNTR2447/0608-A41940TW treatment 200949602, the secure encoding operation in the secure execution mode 2〇2 of the microprocessor 101 is turned off' but the BIOS instruction is still allowed to execute. In one embodiment, the BIOS instructions are executed by issuing an external interrupt and transfer status to the microprocessor and executing via the "machine" dedicated register to implement the SMI interrupt in the implementation of the downgrade mode 203. These result in the microprocessor being executed by the safe execution mode S. The defined state of the equation 203 may be the result of performing the security 2 conversion to the degraded mode, the hardware detection state, or the result of the security coding execution, or the complex The hardware detection state includes a monitoring state associated with the potential security and hardware detection state. In an embodiment, according to the storm, or tampering with the detection result, the SBM logic circuit 1〇5 attempts to clear the Defining one of the states volatilizes one of the data areas of the memory and attempts to place a secure non-volatile memory 107 in the processor. SEM logic circuit 1〇5 will be based on the success of the data area to the safety record. The power is cleared and the detection level mode 203. In addition, in the degraded mode 2G3, the device is switched to the drop-down control under the control of the security application (referred to as the security code, the state of the device) Switch back to safe execution mode 202. Control) 'Micro-processing some of the configuration and integrity confirmation related to the processor 1Q1 converted to hardware off mode 2G4. ^ Status can cause the micro-data to these defined states - detection As a result, in the example, the circuit of the root cleaning micro-processing m safe volatile memory ι〇5 attempts to record the detection result to the safe non-volatile memory 1 data area, and attempts to enter the hardware shutdown mode 204. The hardware is turned off 07, and the microprocessor is reset by the reset microprocessor to exit the hardware shutdown mode mode, and can only borrow 202 or degrade the mode 203 in a safe application in the safe execution mode CNTR2447 / 0608-A41940TW Under the radial system (referred to as process 200949602 type 1 control), the microprocessor 202 can enter the hardware shutdown mode 204. Referring now to Figure 3, the SEM logic circuit 301 in the microprocessor 300 of the embodiment of the present invention is shown. Detailed block diagram. SEM logic circuit 301 includes authorized public key register 318, processor key register 312, SEM initialization logic circuit 305, SEM monitoring logic circuit 306, SEM interrupt logic circuit 307, SEM exception logic 308, SEM timer 309, SEM real time clock (RTC) 310, non-volatile enable indicator register 328, SEM machine dedicated scratchpad bank 329 and secure volatile memory 302. The SEM logic circuit 301 is coupled to some other resources in the microprocessor 300, including: connecting the non-secure memory 325 through the bus bar 326, coupling the address logic circuit 323 through the bus bar 324, and coupling through the bus bar 320. The random number generator 319 is coupled to the AES/HASH/RSA unit 311 through the bus bar 321 and coupled to the other processor execution unit 313 (for example, an integer unit, a floating point unit, an MMX/SSE unit) through the bus bar 327, and is normally coupled. The exception logic circuit 314 is coupled to the normal tracking/debug logic circuit 315, the normal interrupt logic circuit 316, and the power management logic circuit 322. In one embodiment, the public key is provided by the licensor and the 'public key' during the manufacturing period of the microprocessor is permanently programmed in the authorized public key register 318. In one embodiment, the public key is a 24-bit RSA key' and the authorized public key register 318 includes a 1-24-bit fuse bank. Thus, this public key can be programmed during manufacture of the microprocessor 3, rather than after manufacture. Alternatively, the public key is programmed to secure non-volatile memory 107 by off-line large-scale initialization, wherein this offline large-scale initialization is used to program CNTR2447/0608-A41940TWfi, 200949602. Safe non-volatile memory 107. The ability to enable and initialize the secure execution mode 202 is a very critical security operation, and the Trojan horse (the finer Horse) may be installed (installed) into the security record so that the publicly available wire is not provided. To control the safe execution mode initialization program. The processor key register 312 is an aggregate of complex fuses that are actually distributed over the microprocessor die. These fuses are programmed during the manufacturing process in a unique and randomly generated set of states to form a unique record of the processor that can only be read by the AES/HASH/RSA unit 311 (also referred to as the encryption unit 311). There is no program interface for reading the processor record from the processor gold register 312. In one embodiment, processor key register 312 includes 128 fuses that are programmed as 128-bit aes (Advanced

The Encryption Standard 'AES) key is used to encrypt and decrypt the contents of the secure non-volatile memory 1〇7. That is, the processor symmetric key is used to encrypt the secure code for storage in secure non-volatile memory. The security key from the processor key register 312 is used to decrypt the secure code for further execution based on the security coded through the private bus 106. Therefore, the observer of the state of the private bus 1 无法 6 cannot decide which is transferring between the microprocessor 3 and the non-volatile memory 107. In one embodiment, the processor key register 312 includes 128 fuses that are randomly distributed among a number of other fuses within a fuse bank in the microprocessor 3. This fuse bank is placed below some of the metal layers on the microprocessor die. The SEM initialization logic circuit 3〇5 will micro-process the If 3〇〇t state according to the execution of the SEMENABLE instruction or other entry safety execution mode CNTR2447/0608-A41940TW& 91 200949602 when the conversion to the native uncontrolled mode 2〇1 (State in which the secure execution mode is enabled) The expected mechanism of Equation 202, SEM initialization logic 305 provides initialization of the secure execution mode 202. For purposes of illustration, the operation of the microprocessor 3 in accordance with the present invention will be described below in a manner that is used to enable and execute instructions from the secure execution mode 202 (e.g., SEMENABLE), although those skilled in the art will understand There are other ways to enable secure execution mode 202 and perform secure encoding from a secure execution mode, such as writing to a hidden register. The SEM initialization logic 305 records the state of the microprocessor 3 在 在 in the non-volatile enable indication register 328 in accordance with the successful execution of the SEMENABLE instruction. Recorded in the non-volatile enable indicator register 328 by the secure execution mode. That is, the non-volatile enable means that the non-volatile memory 328 is used to indicate whether the microprocessor is in a safe execution mode or a non-secure execution mode. During the power-removal and re-application of the microprocessor, the contents of the non-volatile enabler* temporary storage II 328 persist. In one embodiment, the non-volatile enable indicating register 328 includes a plurality of fuses disposed within the microprocessor 300, and the microprocessor can be secured

CNTR2447/ 0608-A41940TW No mode transfer to native uncontrolled mode 201 #Number corresponds to the number of specific materials in these fuses ^Microprocessor lion includes a single-single body configured on a single particle Circuit. In an embodiment, the sem logic circuit indicates the non-volatile enablement register according to the entry into the safe execution mode. The mode is safely executed and the non-volatile is not processed until the day is processed ||22 22 SEM monitoring logic 306 is used to monitor the security of the security code and data 'to monitor the environmental and physical properties of the system, including temperature, voltage, bus frequency, the presence of battery VP, the presence of quartz χ 1 and safe non-volatile memory The presence of body 107. The SEM monitoring logic 306 indicates tampering or suspected tampering to the SEM logic circuit 〇1, which causes the microprocessor 300 to transition to the degraded mode 203 or the hardware shutdown mode 204. The SEM interrupt logic circuit 307 provides complex interrupts and associated interrupt logic devices (eg, InterruptDescripts ❹ Tables, IDTs), which are only presented to the full execution mode in the safe execution mode 2〇2, S : ❹ , SEM interrupt logic circuit 3〇7 provides a safe interrupt in the middle

The executed secure application, and thus accessed by the secure application. Interrupt The mechanism for secure code execution is similar to the mechanism for performing normal mode. That is, according to the setting of the SEM towel, and by the appearance of SEMmT, the security coding state is saved and transferred to the security interrupt manager. Recovery by an interrupt instruction (eg, (4) execution restores control to a breakpoint in the secure code^ when the microprocessor is operating at Ann 200949602, it only appears to the secure application being executed under secure execution mode 202, and thus secure The application accesses. All secure codec exceptions and interrupts utilize a preset IDT, which is present in the SEM interrupt logic 307 to control the branch during the interrupt and exception periods. In an embodiment, The enabling of one of the security exceptions, the state of the microprocessor ~ is stored and the program control is transferred to a corresponding security exception manager, where the state of the processing H cannot be accessed by the non-secure application. Before the application is executed, the SEM logic circuit 301 disables the normal exception logic circuit 314' and when the microprocessor 300 is operating in the non-secure execution mode, the normal exception logic circuit 314 provides a short response to non-safe applications.

The plural is not a security exception. In one embodiment, any one or both of the security interrupts may occur during the execution of any of the SI applications. Awkward and slightly caused by ΪΠΐΙ: is configured to provide a microprocessor 3 〇. Private control transfer caused by external events 'such as keyboard events, I / O 埠 events, etc. - all exceptions are provided by the microprocessor · (d) events: system transfer, such as undefined opcodes, machines (maChlne check Errors>, and in one embodiment, a secure coded write to a dedicated scratchpad memory 329. = number t full temporary state 'which is loaded with complex indicators, and security interrupt management in these indicator security codes And security exceptions exceptionβ exception. IDT provides a transfer to the security should be the number of security interrupt managers and complex security exceptions = the default pie includes the program control transfer to the microprocessor ^ CNTO2447 / 0608 - A41940TW^ „ Researched a 200949602 200949602

The SEM timer 309 is a plurality of timers that are only presented to the secure application that is executing in the secure execution mode 2 and thus accessed by the secure application. The SEM timer 3〇9 includes complex interrupts that can be accessed by the secure code operating in female full execution mode 2〇2. Real-time = 31 〇 its duration (four), which only appears to the security application being executed under the female full execution mode 202 and thus the value of the real-time clock should be accessed by the security cannot be different from the operation in the Queen's stub mode Security code under 202

Information on the safe execution mode reset operation. In one embodiment, based on the enabling of the safety interrupts, the state of the microprocessor is stored and the program control is transferred to a corresponding safety interrupt manager, and the state of the microprocessor cannot be caused by the non- Secure application to access. In one embodiment, the state of the microprocessor is stored and the program control is transferred to a corresponding non-secure interrupt manager based on the enabling of one of the non-secure interrupts, and the state of the microprocessor cannot be Wait for non-secure applications to access. The SEM machine-specific scratchpad memory 329 includes a plurality of mechanical == ^ temporary deposits 11 only appearing to the safe execution mode mode ^ New security (four) material transfer. This controller is used to enable load/store access to the secure non-volatile memory in real time and SEM timer 3〇9. The non-secure memory 325 is used as a command and data cache for the instruction type. The non-female full application is used for the safety of the memory. Non-device to execute. In the micro-processing application, it can be known by the micro-processing resources and access non-animated private and other systems. ·surface. Not the Queen's money body 325. Safe Volatile Memory 200949602 302 is a safe application for fast execution and safe execution of a command and data that is being safely executed. Safe Volatile Memory 3〇2, 2: Body. Going to the secure execution mode 202, 嶋3.3, which is used to store and retrieve the state of the processor to store the processor. The micro-processing φ is provided to store the security code. The other stacks are completely isolated from the system and are cleared. The normal intrusion order in the circuit 323 is the reference address and the register is saved. (normal segment = Stt. This normal fragment is temporarily stored. The device is initialized when the safe volatilization memory 3〇2 (not the tethered memory) enters into safe execution. This normal system memory is also executed in the secure execution mode of the secure code, through the address The logic circuit 323 is accessed using normal manned and stored instructions. However, based on the execution of the secure code, the SEM logic circuit 3.1 commands the address logic circuit 323 through the bus bar 324 to stop virtual address translation. Since the virtual-physical address translation is disabled for instructions and data, the address provided through the bus 324 and provided by the secure code must be a physical address. By doing so, the SEM logic blocks the paging. Wrong, In this embodiment, the secure volatilization memory 302 is completely owned by the on-chip cache memory in the microprocessor 300, but the security is CNTR2447/0608-A41940TWf/ 26 200949602. The memory 302 cache line has specific internal properties that completely isolate these cache lines from the microprocessor bus. These cache lines are not coupled to the external = system memory, so these cache lines cannot be self-memory The body loading buffers are stored in the system memory, and these cache lines cannot be externally or internally viewed by any of the sinking sources. In one embodiment, the secure volatile memory 3〇2 includes 4K 64-bit fast. In the secure volatilization memory 302, a cache line is assigned by moving from the = data to one of the previously unreferenced cache lines. In one embodiment, the secure volatilization memory 302 includes One of the 96 locations of the 64-bit cache memory, each of which includes an internal attribute, and the internal attribute completely isolates each of the locations. In another embodiment, security Volatile Memory 3〇2 includes random access memory that is separate from the cache memory on the wafer within microprocessor 300. The execution of the SEMENTER instruction provides full execution of the code in a secure execution mode. In the example, the secure execution mode 202 provides a secure edit according to the modified 32-bit x86 real mode. When performing secure coding, it is prohibited to enter the x86 protected mode by the secure execution mode 2〇2. In the secure execution mode. Before execution, the sem initial circuit 305 disables the positive "^ security" interrupt logic circuit 316 by setting the coincidence energy signal (10). Prior to execution of the secure execution mode, the priming logic 305 also disables the normal (i.e., non-secure) exception logic 314 by setting the enable signal (10), and also disables the phase 5 and the uniform signal DISDL. Normal (ie, non-secure) tracking/debug logic 315. In addition, power management logic 322 is disabled by the setting of the signal DISPML before the security mode is executed. Through these security CNTR2447/ 0608-A41940TWfi, 27 9 200949602 Shi, there will be no normal bus interruptions 'blocking exceptions, avoiding bus tracking cycles, and disabling debug output 埠 = green security code execution period _ disable all remaining processor resources JTAG detection mode, cache test). Otherwise, power management logic 322 allows the microprocessor 3 to enter a reduced power state, such as the p state and the c state in the 86 phase valley embodiment. Used to avoid conversion of power state during secure code execution.

Through the bus bars 320, 321, and 327, the secure code can access the processor execution unit (execution unit in the processor 300) 313, the random number generator 319, and the AES/HASH/RSA single it to execute the microprocessor instruction set. All of the instructions, including the hardware implementation of the real random number and can be used by the programmed macro to perform rsa encryption, decryption, and identification check; AES encryption and decryption, and = Al/SHA-256 Secure Hash Algorithm (SHA, Secure Hash Algorithm). These hardware implementation functions are

The AES/HASH/RSA unit 311 is executed.

Referring now to Figure 4, an illustration 400 illustrates how full encoding can be stored, accessed, and initialized within the microprocessor of the present invention. Figure 4 illustrates a microprocessor 4〇1 capable of performing a female full execution mode (SEM) coupled to the BIOS memory 410 and the system memory 420 via the system bus 425. According to the present invention, the microprocessor 401 is also coupled to the secure non-volatile memory 430 via the private bus 431. The microprocessor 401 includes a secure encoding interface logic circuit 402' coupled to the random number generator 412, the processor key register 413, the authorized public key register 404, the AES/HASH/RSA single 405 (or Weighing unit 4〇5), safe volatilization memory 4〇6, SEM CNTR2447/ 0608-A41940TW^ 200949602 Monitoring logic circuit and SEM initialization logic circuit. The secure code interface logic circuit 402 additionally interfaces the bus interface unit to the non-volatile memory interface unit 407.图示 The shed also indicates the security codes 411 and 421 stored in the system memory 420 and (4) S memory. In an embodiment, the security code 411 stored in the deleted memory 410 is mainly used to provide the operation of the microprocessor Yang in the degraded mode 2〇3, and the security code 42i stored in the system memory is used to Provides operation of the microprocessor in safe execution mode 2〇2 ©. In operation, the operation of the elements illustrated in Figure 400 is substantially similar to the similarly named elements previously described with reference to Figures 1-3. The purpose of the discussion with reference to Figure 4 is to provide a clearer focus on those component stencil techniques that are used to store, access, initialize, and execute the secure code in the secure environment of the present invention. In addition, the environment in which secure coding is performed is isolated from the environment in which non-secure coding is performed. As previously stated, the native uncontrolled mode 2〇1 only allows the execution of non-female full encoding. The secure execution mode allows the execution of both non-secure coding and secure coding. The state of the microprocessor 401 is saved before the security code 421 is executed. This state is restored based on the conversion back to the execution of the non-secure code. This state is stored in an area within the secure volatile memory 4〇6 and this state does not appear on the microprocessor bus 425. In addition, the security codes 411, 421 are executed from the secure volatilization memory 406. In addition to isolating the secure volatile memory 406 from the hardware and software 'all other' side phannels associated with the microprocessor bus 425, (eg, debug exceptions and execution tracking features) are disabled, such as The CNR2447/0608-A41940TW public 200949602 is discussed in Fig. 1_3. The security codes 411, 421 are only provided to the SEM interrupt logic circuit 3〇7, the SEM exception logic circuit 308, the SEM real time clock 310, the SEM timer 310, and only the security code 411. The other processor resources utilized by 421 are exclusively accessed. Further, the microprocessor 401 provides SEM monitoring logic 408, i including an asynchronous monitoring and monitoring mechanism, wherein the asynchronous monitoring and monitoring mechanism is independent of the security code 411, 421 and non-secure execution. SEM monitoring logic 408 monitors the environment of the microprocessor (eg voltage, ❹ temperature, bus operation) and physical characteristics, and also checks the security code 4^, 421 (security application) and related The honesty of the data will be described in detail below. When security exposure is detected, the SEM monitoring logic 408 is transparent. The bus CHK transfers the program control to the secure coded error management device (secure_e〇de erw handler) of the security code 411, 421, or the SEM monitor logic circuit 408 will pass through the bus bar CHK when a serious security exposure is detected. The microprocessor 4 is stepped into the degraded mode 203. In one embodiment, the secure encoding interface logic circuit 402 monitors the plurality of instructions present in the security codes 411, 421 and provides these instructions to the bus via ms. The SEM monitors the logic circuit 4〇8 to support the instruction set architecture (Instructi〇set, ISA) operation defined by the microprocessor 401. According to this embodiment, when the microprocessor 4 is operating in the secure execution mode, The inventive microprocessor 〇1 is only allowed to execute certain instructions in the host isa. That is, the defined ISA operation causes the execution of the plurality of non-secure instructions to be blocked by the logic circuit, and the execution of the non-secure instruction is the licensor The non-secure instructions to be blocked include one or more opcodes taken from one of the instruction sets of the corresponding microprocessor CNTR2447/0608-A41940TWfy 200949602. In the x86-compatible embodiment, the generation or execution of more than 100 microinstructions or certain types of instruction requirements will be blocked. On the other hand, when the microprocessor 401 is operating in the secure execution mode, The licensor may desire to block the execution of all instructions 'eg task switching, call gates, etc. By providing each instruction in the security codes 411, 421 to the SEM monitoring logic 408, the microprocessor of the present invention The 401 enables a defined ISA operation. In an embodiment, the instructions in the defined ISA instruction set (ie, the instructions that are executed in the secure execution mode) are represented by the value of the instruction array (not shown) in the SEM monitoring logic circuit 408, and will be Detailed description below. The SEM monitor logic 4〇8 causes the microprocessor 401 to enter the degraded mode 203 when encountering the above blocked instructions. In one embodiment, the secure encoding interface logic circuit 4〇2 provides instructions in the security code 4U, 421 to the SEM monitoring logic circuit 4〇8, and when loaded, loads the security codes 411, 421 into a secure volatile memory profile. For subsequent execution. The ability to move in and initialize the safe execution mode is critical. (4) 'In addition' it indicates that the g-trojan program is called (four). (4) The security enters the memory 41〇, 42〇 containing the security codes 411, 421. The encryption algorithm and a corresponding set of asymmetrically encrypted microprocessors 401 prevent this exposure by controlling the security execution module. In the embodiment, the non-sister brain bit heart: and =:== the authorizer or authorized object (enti Wei chuanchuan CNTR2447/0608-A41940TWfy fork king 狝 code 411 200949602 421. Between the three pictures, one of the two gold records is stored in the manufacturing process of the micro-processing 11 401 and used to decrypt the data according to the asymmetric key 318' of the asymmetric key:: , among them, this capital

Because: the - tone 'asymmetric key (ie private key) is encrypted. In the π eight f ^ example, this operating system performs SEMENABLE two-different--. This command transmits the secret key through the licensor's private key β Ο 荖. The secure encoding interface logic circuit 402 is connected to the 222/4 gold (4) memory 11404 to access the public record, and the ASH/RSA unit 405 decrypts the SEM enablement parameter. According to the verification of the SEM enablement parameter, the initial logic circuit is initialized, the safe execution mode 2G2, that is, the safe execution mode is enabled to execute the queen application. In addition, the SEM initialization logic circuit 4 (10) indicates the microprocessor H 401 After the SEMENABLE command is restored (her fn), the microprocessor T 4〇1 f is held in the non-secure execution mode 2〇1. In the embodiment, the authorization of the security execution mode 2〇2 (and if there is a corresponding error state, if any) is provided with a response code (on rn(7)(4). The authorized public key is programmed directly into the authorized public key register 4〇4 during manufacture, and in another embodiment, the authorized person programs the authorized public key to the secure non-volatile memory 43 The public key area 432. Therefore, when the microprocessor 4〇1 is powered up, the secure non-volatile memory interface unit 4〇7 detects and retrieves the public key from this area 432. The secure coding interface The logic circuit 4 (10) then burns the gold record and the parameters indicating that the gold output has been programmed, to the authorized public key register 404. This alternative embodiment is in the manufacture of the secure non-volatile memory 430. At the stage, a more flexible disclosure of gold CNTR2447/〇60S-A4l940IWC, 32 200949602 two with two non-volatile memory interface units 4. 7 through the private bus I311 processing $4G1_ to safe non-volatile (4), Private = fair The 431 is used to access the secure non-volatile memory. The complex private (four) stream data transmission is concealed to avoid being detected by any device in the microprocessor tree and the device that is connected to the system bus. Non-volatile memory interface single ^ „ 疋 疋 疋 疋 safely coded interface logic

The circuit 402 manages. Based on the collation-enabled parameter, the secure non-volatile memory interface unit clears the contents of the secure non-volatile memory 430 by performing random number writing. In the _眚&^ embodiment, each position in the secure non-volatile body 430 is randomized 耷 ’ and a is smashed 64 times. In one embodiment, the random number of parent writes is generated by random number generator 412. The SEMENABLE command (the SEM enabling mechanism) also transmits an indication of the location of the security code 411, 421 in the BIOS memory 410 or system memory 42 and any initial security data (i.e., enabling parameters). This indicator and data (i.e., enabling parameters) are formatted according to a predetermined structure and are encrypted according to an asymmetric gold recording algorithm. The encrypted indicator and data are decrypted and the format is checked. An unsuccessful check results in a response to the error code. If the indicator and data are confirmed and verified in terms of structure, the secure code interface logic 402 instructs the bus interface unit 403 to extract the security codes 411 and 421 from the memory 410 and/or the system memory 420. The security codes 411, 421 have also been encrypted by using the privilege of the licensor and are encrypted according to the asymmetric gold recording algorithm and must be commensurate with the preset structure. The secure coded interface logic 402 utilizes the authorized public key temporary storage CNTR2447/0608-A41940TWf/33 200949602 404 and AES/HASH/RSA unit 405 to unpack the encrypted secure code 411, 421. After the check is in the correct format, the secure encoding interface logic unit 402 utilizes the AES/HASH/RSA unit 405 to securely encode the content according to the symmetric encryption algorithm and using the contents of the processor key register 413 (as a symmetric record). The data is encrypted. As mentioned before, the contents of the processor key register 413 are 128-bit randomly generated keys unique to the microprocessor 〇1, and the symmetric encryption algorithm includes the use of 128-bit modules and Electronic Code Book (ECB) © Mode Advanced Encryption Standard (AES). This symmetrically encrypted security code is then written to the secure non-volatile δ ** memory 43 0 through the secure non-volatile memory interface unit 4 〇 7 . In addition, the secure encoding interface logic circuit 402 utilizes the AES/HASH/RSA unit 405 and the processor key register 413 to generate a plurality of hashes of the selected portions of the security encoding, and the secure encoding interface logic circuit 402 encrypts and encodes the hashes. Write to secure non-volatile memory 430. In one embodiment, these hashes are generated in accordance with the sHAq algorithm. In addition, the SEM initialization logic circuit 4〇 disables JTAG, detection mode, cache test, or disables other processor characteristics that are monitored by the machine's secure code as discussed in Figure 3. When encoded and hashed security code has been written to the secure non-volatile memory 430, the microprocessor 401 sets the non-volatile enable indication register (shown as 328 in FIG. 3) to indicate the processor 4〇. 1 is operating in secure execution mode 202 and SEM initialization logic 409 forces microprocessor 4〇1 to perform a reset sequence (RESET se. quence). The partial reset sequence causes the non-volatile enable indication that the contents of the scratchpad are read by CNTR2447/0608-A41940TWf/-ιλ 200949602 ❹ 且 and if these indicate that the processor 401 is in the secure execution mode 2〇2, then Perform additional operations specific to Safe Execution Mode 2〇2. Therefore, the security codes 411, 421 are initially encrypted and loaded by the authorizer into the memory 410, 420. When the security·execution mode is enabled, the microprocessor 〇1 retrieves and checks the secure code according to the asymmetric key algorithm and using the key provided by the licensor. The processor unique key is then used and the code is encrypted and hashed according to the symmetric key algorithm, and the symmetrically encoded code is written to the secure non-volatile memory 43 via the private bus #431. ''·, further details from the liver, when the security code is to be executed, the secure code is retrieved from the secure non-volatile memory 430 by the secure non-volatile memory interface unit 407, and stored in the processor key temporarily The processor key of the memory 413 is decoded, and the secure code is written to the secure volatile memory 406 'where the 'safe volatile memory' is completely (4) the hardware and/or (d). The volatilization memory of the shirt = the memory boat contains the instructions and the information system that can be used to store the security application. The security non-volatile clock interface unit is a multi-machine temporary storage 5|, and the installation is straightforward. For security, _, these machine circuits 402) a full-fledged application (or secure coding interface logic to perform the loading of the secure non-volatile memory 43〇 与 = and = 1: on the τ pair of hidden machinery dedicated coffee The read and write authors of the Queen's non-volatile memory can advantageously combine the micro-processing mode environment, and by Μ P 1 h (four) and security enforcement CNTR2447 / 0608-A41940TW ^ ; " Bus 425 and private confluence 35 200949602

The data transmission of the V-row 431 is encrypted, so the structure and function of the secure code are protected from any reverse engineering and other snooping/intrusion techniques. Referring now to Figure 5, there is shown the details of the SEM monitor logic circuit 500 in the microprocessor of Figure 1. The SEM monitoring logic circuit 5 includes a physical environment monitor 501 coupled to the secure non-volatile memory 107 via the signal PSNT, coupled to the battery VP via the signals VP1 and VP2, and coupled to the quartz via the 匚1 and C2. The physical environment monitor 5〇1 provides an output signal through the bus NOBOOT. The SEM monitoring logic circuit 500 also includes a bus timing monitor 5〇2 having a frequency reference unit 503. The bus clock monitor 5〇2 is coupled to the bus bar clock provided to the microprocessor via the signal BUS CLK, and the output of the bus clock monitor 502 is coupled to the bus bar TAMPER. The SEM monitoring logic circuit 500 also includes a processor voltage monitor 504 coupled to the power supply voltage and the plurality of bus terminal voltages via the signal VDD and the BUSTERM, wherein the power supply voltage and the bus terminal voltage are provided by the system board to the microprocessor. Device. The SEM monitoring logic circuit 5〇〇 also includes a temperature monitor 505 coupled to the processor temperature sensing logic circuit (not shown) via the signal TEMP. The SEM monitoring logic circuit 500 further includes a data monitor 506 that passes through the bus bar. The CHK is coupled to the secure coding interface logic circuit 402. The output signals of the bus timing monitor 502, the processor voltage monitor 504, the temperature monitor 505, and the data monitor 506 are coupled to the bus bar TAMPER. The SEM monitoring logic circuit 500 further includes a security time stamp counter 507, which is coupled to a normal time stamp counter 508, a signal CORE CLK, and a ratio CNTR2447/0608-A41940TWf/36 200949602 (Ratio A mechanical dedicated register 509. The output signal of the safety time stamp counter 507 is coupled to the bus bar TAMPER. The SEM monitor logic circuit 500 also includes an instruction monitor 511 that couples the instruction array 512 to the bus bar INS. As discussed with respect to Figure 4, when the microprocessor is executing in the secure execution mode, instructions within the secure application are provided to the SEM monitoring logic 500 to support execution of instructions that are restricted within the host ISA. The output signal of the command monitor 511 is coupled to the bus TAMPER. Finally, the SEM monitoring logic circuit 500 has a pattern monitor 510 coupled to the bus bar PINCHK and generating an output signal on the bus bar DESTRUCT. The bus bars NOBOOT, TAMPER, and DESTRUCT are lightly connected to the monitor manager 513. In one embodiment, the monitor manager 513 generates signals CLASS 1, CLASS 2, CLASS 3, and DISABLE. In operation, SEM monitoring logic circuit 500 is used to perform hardware and software verification 'which monitors the physical and temporary properties of the microprocessor of the present invention to extract, identify, and classify operating events, where An event is an operating environment that is not safe for secure coding, such as changing or removing a battery, a quartz or a secure non-volatile memory; replacing the secure microprocessor of the present invention with a microprocessor of the present invention Modify the frequency of the m-slot clock, tamper with the microprocessor power supply voltage Vdd, modify the encryption security code in the system memory, BIQS memory or secure non-volatile memory; and over-hook for the security code itself. (excessive calls). Therefore, when operating in the safe execution mode, the physical environment monitor 5〇1 CNTR2447/ 0608-A41940TW treatment 200949602 200949602

Any changes described above are detected and the change is output to the bus n〇b〇〇t.

The secure non-volatile memory 107 is coupled to determine whether the secure non-volatile memory 107 is removed by monitoring the state of the signal PSNT. The de-assertion of the signal PSNT indicates removal of the secure non-volatile memory 107. Similarly, the signals VP1 and VP2 are monitored to determine if the battery voltage has changed or the battery has been removed or to determine if the voltage corresponding to the battery is being charged. In one embodiment, the value of VP1 is proportional to the battery voltage. Similarly, the state of signal ci and its state indicates the presence or absence of a quartz. Suppose the physical environment monitor 5〇1 In addition, when operating in the safe execution mode 2〇2, the bus time clock monitor 502 estimates the frequency of the BUS CLK to determine the short-term and (four) integrity of the system bus time clock. , the towel, (10) the hidden clock is provided to the microprocessor through the system board. The bus clock is routed to the bus clock monitor 5〇2 through the signal Bus clk, and the bus timing monitor 5〇2 uses an internal phase-locked loop (not shown) to check the short-term bus. Pulse error, its + '(four) phase-locked loop is synchronized with the bus clock and used to generate the clock for the microprocessor. The bus timing monitor moves to determine whether the bus cycle is uncomfortable. The period is (4) flat, or whether the clock change has exceeded an acceptable level (for example, a specific range, in an embodiment, more than six percent) The change is considered unacceptable. In addition, the 'bus clock monitoring_ uses the frequency reference unit 5〇3 for the temperature- and voltage-independent intermediate speed oscillator circuit. When the frequency reference unit 5〇3 is generated with the system bus Pulse proportional - reference frequency. Confluence clock monitoring ^02 compare system bus timing derivative (four) and clock reference single το 5〇3 output (reference frequency) to determine whether the bus clock frequency has been counted The frequency of the stepwise (four) ual is changed to cause any event on CNTR2447/0608-A41940TWf7, 〇3〇200949602 to occur, this event is reported to the monitoring manager 513 (SE1V [logic circuit 301) via the bus TAMPER, which will cause microprocessing The device enters the degraded mode or enters the hardware shutdown mode 204. The processor voltage monitor 504 estimates the power supply voltage and the complex bus terminal voltage supplied by the signals VDd and BUSTERM and applied to the microprocessor. The above voltage limits are programmed through a mechanical dedicated register (not shown). Once the power supply voltage and the complex bus terminal voltage deviate from these programming limits, the processor voltage monitor 5〇4 ^ © reports this event to the monitoring manager 513 via the bus TAMPER. Temperature monitor 505 includes a precise thermal monitoring mechanism (in addition to the normal thermal monitoring function) that continuously monitors the die temperature at preset high and low temperature limits. One of the grain temperatures, a low temperature limit and a high temperature limit, is programmed by a mechanical dedicated register in temperature monitor 505. This high and low temperature limit is stored in the mechanical monitoring register in the temperature monitoring cabinet 505: Among them, these mechanical dedicated registers can be safely coded. Once the temperature of the crystal 11 deviates from the above-mentioned preset high and low temperature limits, the temperature monitor reports this event to the monitoring management via the bus bar TAMPER. The data monitor 506 is used to detect complex encryption and configuration errors associated with security coding and security data when the secure application is taken from a secure non-volatile memory gym. These complex encryption and configuration errors are reported to the monitoring manager 513 via the bus TAMPER. For example, these errors are errors with the SEMENABLE and SEMENTER instructions, decryption errors detected when the security is captured from the memory, and mismatches and formatting errors in the security code. CNTR2447/ 0608-A41940TWf7 39 200949602 The safety time stamp counter 507 is coupled to a core coffee to calculate the full correction execution.

The number of cycles of CLK. Safety time stamp counter 5〇7.唬CORE device 5〇8. The normal time stamp counter 5〇8 is calculated during the execution of the hang timestamp count code C0RECLK=Gold bat or safe programming is being executed or when the security application is not performing ^^ counter 508 calculation signal (10) Ε (χκ之Number of cycles; two = (four) 507 is also coupled to a ratio of mechanical dedicated register 5〇9 ==5. 9 only known by the security application and access rate = coded comparable ratio mechanical dedicated register · binding - Mechanical dedicated register write to establish between (508 and safe time truncation counter tear (: face mr coffee). This maximum ratio indicates that the security application has been called = number. If this maximum ratio is exceeded In this way, the security code is indicated to be more than the specified number of times. Then, the security time counter 507 transmits the event (when the maximum ratio is exceeded) to the monitoring, that is, the female full time counter 507 is used. Comparing the number of signal CORE CLK cycles with the value of positive f_counter_, and reporting the event that the maximum ratio is exceeded to the monitor manager 513. The maximum ratio is programmed by a mechanical dedicated register in the logic circuit. Means The monitor 511 refers to the instructions in the secure application with the host ISA and indicates when the instructions within the application and not within the subset have been programmed for subsequent binding. The subset of instructions executed within the secure execution mode is represented by the value of the array 512. In one embodiment, the subset is included in one or more specials from 4Π200949602, like ^^2447/ 0608-A41940TWC An instruction, such as an arithmetic code (〇pc〇de), is identified in another embodiment. 'This subset includes - or a plurality of instruction types, such as a microcode complex value. In a third embodiment The subset includes - or a plurality of tag codes, tag eQdes), each associated with - or a plurality of instruction opcodes. The instruction set 歹 012 is coupled to the instruction monitor 511 for identifying the corresponding microprocessor A subset of all instructions within an instruction set architecture, the instructions including instructions that are allowed to execute within a female full execution mode. The subset of instructions used to execute in the secure execution© mode is identified by the value of the instruction array 512. In an embodiment, this refers to Array 512 includes a mechanical special register that is initially written by a secure application. In another embodiment, instruction array 512 includes a plurality of fuses that are programmed (burned) during manufacture. During the initialization of the mode, when the security code is being transferred from the secure non-volatile memory to the secure volatile memory for subsequent execution, the value of each specific instruction in the corresponding security code is transmitted by the secure coding interface logic circuit 402 through the bus bar ins. The instructions are provided to the instruction monitor 511. In one embodiment, the value of 1NS indicates that each particular instruction corresponds to a particular opcode or subset of opcodes within one of the instruction set architectures of the microprocessor. In another embodiment, this value indicates the type of these instructions (e.g., simple, complex, etc.). In yet another embodiment, this value is a label corresponding to one or more instructions within the ISA. In another embodiment, before the execution of the secure code, when the secure non-volatile memory is being programmed, the value of each instruction in the secure code is provided by the secure coded rain logic circuit 402 through the bus INS. . The instruction monitor 511 compares the value of the INS with the number of instruction arrays 512 CNTR2447 / 〇 608-A41940TWf / 41 200949602 value ' to determine whether to allow execution of a particular instruction. If not allowed, the command monitor 511 sets the signal to the busbar TAMpER. The style monitor 51 is coupled to the busbar DESTRUCT to detect the installation of the system board by an unsecured version of the microprocessor of the present invention, wherein the system board is a secure microprocessor configured for the present invention. In one embodiment, the non-secure microprocessor and the secure microprocessor have different pinouts. The state of the particular pin that differs between the two versions is the input signal through the bus bar PINCHK as the pattern monitor 51. The mode monitors the state of the bus PINCHK, and if it is determined that the non-secure version is installed, the event monitoring manager 513 is reported through the bus DESTRUCT. That is, the bus DESTRUCT provides a complex state for the particular complex pin configuration of the microprocessor, and the pattern monitor estimates the complex state to determine if the microprocessor is configured with a secure version to operate in the secure execution mode. The monitoring manager 513 dynamically monitors the physical and operational environment of the microprocessor by paying attention to and estimating the data transmitted through the busbars NOBOOT, TAMPER, and DESTRUCT. The monitor manager 513 sorts the above data to indicate the security level associated with the execution of the secure application' and causes the SEM logic within the microprocessor to perform the reaction operations according to the security level. For the execution of secure applications, the SEM monitoring logic circuit 500 includes asynchronous monitoring, monitoring mechanisms, and monitors that operate independently. Some of the following conditions will result in the setting of the signal CLASS1, such as the short-term error of the frequency of the bus BUS CLK reported by the bus TAMPER. The SEM logic circuit records this event (log) (detection signal CLASS1) to the safety event record table of the CNTR2447/〇608-A41940TWf 42 200949602 in response to the setting of CLASS1 and issues an interrupt to the security. coding. If the interrupt is not received (acknowledged), the monitor manager 513 sets the signal CLASS3. The monitoring manager 513 sets the signal CLASS2 if a complex event (more than one event) that causes the signal CLASS1 to be set is detected, such as an error in the error of BUSCLK and VDD. The SEM logic attempted to clear the data area of the safe volatilization memory and attempted to record this event to a secure non-volatile memory. Also, check the hash of the security code in the BIOS. If the data area of the safe volatilization memory is successfully cleared and this event (setting of the detection signal CLASS2) is recorded, and if the BIOS hash is correctly proved, the SEM logic circuit starts to transition to the degraded mode 2〇3. This degraded mode provides limited functionality, error display, and limited user input related instructions. An error in either of these actions results in the setting of signal CLASS3. The setting of the signal CLASS3 indicates a security violation. In response to the setting of the signal CLASS3, the SEM logic continues to attempt to clear the safe volatilization memory and attempts to record this event (the setting of the guess signal CLASS3) to the secure non-volatile memory, and in addition, causes the microprocessor to enter the hardware shutdown. Mode 204, that is, the microprocessor stops operating. In one embodiment, the monitor manager 513 determines whether the style monitor 51 has δ set the DESTRUCT number 4, thus indicating the installation of the non-secure version of the microprocessor of the present invention. If the signal DESTRUCT is set, the signal DISA is set if the data on the bus bar indicates that the quartz and secure non-volatile memory are present. In response to signal DISABLE 6, the SEM logic circuit stops the non-secure microprocessor

CNTR2447/ 0608-A41940TW 200949602 Operation. The above-mentioned monitoring manager 513 sets the signals CLASS1, CLASS2, CLASS3 and DISABLE to transfer the program control to one of the complex event managers in the secure application. For example, when there is security violation, the signal CLASS3 is set, and the SEM logic circuit is Continue to attempt to clear the safe volatilization memory and record this event to the secure non-volatile memory, and continue to try to force the microprocessor into the hardware shutdown mode, ie the microprocessor stops operating. The above-described case in which the monitor manager 513 sets the signals CLASS1, CLASS2, © CLASS3, and DISABLE is merely an example and is used to teach the security environment management of the present invention. Those of ordinary skill in the art will appreciate that the category of security events and the appropriate response are governed by the particular security environment required, and therefore, the present invention encompasses the above-described categories of security events and other methods of appropriate response. Referring now to Figure 6, a state diagram 600 details the mode of operation of the microprocessor of the present invention. The state diagram 600 includes a native uncontrolled mode 6〇1 ❹ (or non-secure execution mode 601), a degraded mode 605, and a hardware shutdown mode 606, as similarly named components in FIG. 2, differing in that A detailed description of the limited number of times that the native uncontrolled mode 601 can only return to this mode under program control. The limited number of these returns is in the native uncontrolled mode (1) 〇〇 1 line sinks 111〇(^4?]^)[ 1 State. In addition, the safe execution mode 2〇2 in Figure 2 is explained in more detail to illustrate the complex SEM enabled reset mode [1:N] 602, a SEM enabled normal execution mode 6〇3, and A SEM enables a safe execution mode 6〇4. That is, when the secure execution mode 2〇2 is enabled by the execution of the SEMENABLE instruction (or other enabling mechanism), the microprocessor of the present invention is reset (ie, Enable reset [1:N]) CNTR2447/ 0608-A41940TWf/ ΛΛ 200949602 May be executing a non-secure application (enabled in normal execution mode), or may be performing secure coding (enable safe execution mode). Show that the microprocessor of the present invention is manufactured as an initial When booting, it enters the native uncontrolled mode < 601. And as indicated by the state s _, different versions of the security of the microprocessor can be used continuously in the native uncontrolled mode. However, the SEMENABLE command or enable Execution of the alternate mode of the secure execution mode (eg, SEM ENABLE) causes the microprocessor to enter the SEM enable reset mode 6〇2 to force the microprocessor to reset, where the number of times the SEM enable reset mode 602 can be entered is [1: N] times, and the above is the first entry into the SEM enable reset mode 602. In the SEM enable reset mode 602, during the reset sequence, the microprocessor performs a configuration regarding the operation in a secure environment and The honesty check is as described above with respect to Figure 5. According to the successful execution of the reset in the SEM enable reset mode (ie, pass), the microprocessor switches to the SEM enable normal execution mode 603 for non-secure applications. Execution of the program. However, if certain defined states are detected, such as the aforementioned settings by the monitor manager 513 for the signals CLASS3 and DISABLE ® , the microprocessor will transition to the degraded mode 605 (ie due to the setting of CLASS2) 'Or switch to the hardware shutdown mode 606 (ie, due to the setting of DISABLE). Leaving from the hardware shutdown mode 606, the microprocessor can be reset to cause it to return to the SEM enable reset mode 602. From the degraded mode 605 Leaving the 'microprocessor provides limited instructions through the BIOS, allowing the user to establish parameters that enable the microprocessor to enter the SEM enabled safe execution mode 604 under program control. From the SEM enable reset mode 602, The hardware call in the reset sequence will force the microprocessor to directly enter the SEM enable safe execution mode CNTR2447 / 0608-A41940TW^ 45 200949602 604, in which the non-secure code is executed in the safe brewing execution mode 603 During the security execution period during the execution of the SEM-enable normal instruction or during the SEMENTER security coding alternately or the microprocessor is started to execute the full execution mode: the reference to the singularity and the alternate mechanism are referenced. Status = "Call" in the SEMEXIT instruction 600 of the instruction to perform secure coding. Similarly, terminate the secure code execution with the start of the non-secure 7 microprocessor

(RETURN),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, The converter is converted to the degraded mode by SEM Equation 604. The Angkor code in the leg allows the microprocessor to be executed by the descending execution mode 604. The degraded mode 605 is returned to the leg-enabled Safety Magnetic 9 in the SEM-Enable Safe Execution Mode 6.4. Safety φ special mechanical special register to trigger the safety mechanical inspection 603 to perform the processor conversion back to the view to enable the full implementation of the wedge-type full encoding. In addition, if the SEM enables the normal execution of a safety interrupt, micro-processing The state of the device is automatically executed (4). The step of inventing the differential processing in the column 1 to cause the state change described in the state diagram will be explained in detail through Figures 7-11. Figure 7, Flowchart 7A shows a high-order method for safely performing nuclear operations in a microprocessor of the present invention. The flow chart begins with a block in which the microprocessor is in a native uncontrolled mode 6〇1. Execution of the SEMENABLE instruction Or enable The safety execution mode alternates CNTR2447/ 0608-A41940TW^ 46 200949602, for example, writes to a concealed mechanical dedicated register, and transmits a consistent Shanghai parameter, which is enabled by using the asymmetric encryption key. Encrypted according to an asymmetric encryption algorithm - and - the other of the asymmetric encryption keys has been authorized by the programming line (4). The flow proceeds to block 702. In block 702, An encryption unit within the microprocessor,

G This enable parameter is used to retrieve an effective instruction to enable one of the secure execution modes and to retrieve an indicator of the encrypted security code in memory. Another indicator of BI〇s^ two-way secure coding and any encrypted initialization data is also provided. Flow continues to block 703. At block 703, the encrypted security code is retrieved from the memory/BIOS' through the system bus and decrypted. This security compilation and data is then encrypted by using the - processor record and according to the -symmetric gold recording algorithm, wherein the processor is unique to each processor of the present invention' It is programmed to a processor key register at the time of manufacture. This symmetrically encrypted secure code and data is then written to a secure non-volatile memory via a private bus, which is isolated from the system bus resources. Part of the process of writing to secure non-volatile memory involves performing random writes to the memory before writing the symmetrically encoded code and data. Flow continues to block 704. In block 704, the non-volatile enable within the microprocessor indicates that the scratchpad is written to indicate that the secure execution mode is enabled. In one embodiment, the non-volatile enable indication register includes a plurality of bits, and one of the bits is written to indicate a safe handout mode each time the secure execution mode is enabled. Was enabled. The other of these bits is written to indicate a return to CNTR2447/0608-A41940TWfy^200949602 back to native uncontrolled mode. Therefore, according to the present invention, the enablement* temporary storage n allows 128 conversions by the non-secure = non-swing execution mode. Flow continues to block 705. : Security In block 705, a -1 1 micro-processing | §, that is, the method of enabling safe execution mode operation in the transmitter. Yuecheng treatment

The flowchart 8 of Fig. 8 emphasizes a high-order method for operating in the disable mode of the present invention. That is, the process = device described in the secure execution mode of the security code how to command the micro-processing to the native uncontrolled mode. The flow begins at block 8 (H, where it returns to the secure execution mode to execute the security weaving. The flow proceeds to the correction at block 802 + 'safe coding in the safe execution mode to execute the execution mode 6 she is), ie execute Safe execution is not safe, when the security code is executed on a SEM machine (4) when writing, start the real non-safe execution mode of the return - non-safe = mode) 'which leads to a security exception (two _ ° η ). The program control is transferred to the security exception manager in the security code - address where the address is provided by the contents of the aforementioned security interrupt description symbol form. In the -real_, the security exception manager performs a write to the machine-specific scratchpad to indicate acceptance of this return. In case, this mechanical special register is not correctly written, this return is slightly older, and the micro-processing H (four) is riding safely. If the handshake is confirmed, the flow proceeds to block 803. In decision block 〇3, the evaluation of the non-volatile enable indicates the internal disable safe execution mode of the register (supports returning to the non-secure execution mode). If it is not disabled (supports return to non-secure execution mode), the flow proceeds to CN_2/0608-A41940TWf/4g 200949602. In the event that the acknowledgment indicates that the plurality of bits 70 of the register are in the non-secure execution mode phase, the continuation proceeds to block 804. In block 806, the secure execution mode is maintained and control returns to the secure code. , f side, 8 〇 4 'update non-volatile enable indicator register to indicate that the microprocessor is operating in non-secure execution mode. The flow proceeds to block 805. The state of the microprocessor in the square 805 is returned to the native uncontrolled mode, i.e., the method of disabling the safe execution mode operation in the microprocessor of the present invention. Fig. 9 is a flowchart showing the method of performing the internal security coding of the microprocessor of the present invention in detail. That is, the method of stream__f is the seventh diagram: a more detailed description of the flowchart 700. The process begins with the block ❹ 22 (4) 'The microprocessor of Benming is executing a non-secure application in its native uncontrolled mode. The process continues to block.之一In one of the non-secure execution modes, the operating system executes the temporary storage W transmission X, the system _ person to the machine-specific, and the "or the eve parameter", wherein the - or more wire parameters are based on The private money granted is to be asymmetrically crowned. This or more enabling parameters include a pointer to the executed asymmetrically encrypted secure coded target. This material can be stored online (4) and/or BIOS memory. The flow proceeds to block 9〇3. In block 903, the microprocessor decrypts the transmitted one or more enabling parameters using a corresponding authorized public key. In an embodiment CNTR2447/0608-A41940TWi/ Λί\200949602, during the manufacture of the microprocessor, the authorized public key is programmed to a non-volatile authorized public key register. In another alternate embodiment, 'the public key of the authorization is programmed to a location within the secure non-volatile memory of the present invention' and the public key of the authorization is safe from the initial boot of the microprocessor. The volatile memory is retrieved and the authorized public key is programmed to the non-volatile authorized public key register and then cleared at this location in the secure non-volatile memory. Flow continues to block 904.

In block 904, it is determined if the decrypted enable parameter is valid. If it is valid, the flow proceeds to block 905. If it is invalid, the flow proceeds to block 907. In block 905, since it is determined that the enable parameter is valid, then multiple random writes are made to all locations of the secure non-volatile memory to clear the contents of the secure non-volatile memory. The flow continues to block 9-6. In decision block 906, the encrypted secure code is fetched from system memory/and or BIOS memory. Next, the authorized disclosure amount is used and the (4) security code is decrypted according to the asymmetric key algorithm. In one embodiment, a cryptographic unit within the logic circuitry is executed in the microprocessor to decrypt the encrypted secure code. In an embodiment, the encryption unit can perform AES encryption operations, SHA] hash operations, and & rsa encryption operations. The decrypted security code is then decompressed and checked for correct format. If the decrypted security code format is correct, the flow proceeds to = block 9G8. If the decrypted secure encoding format is incorrect, the flow continues to block 907. In block 907, CNTR2447/0608^41940^^ is returned to the non-secure execution mode because the decrypted enable parameter is invalid. In block 908, the 'decrypted security code (and the corresponding initial material 'if any) is borrowed by the processor and added according to the _ gold wheel method, wherein the processor gold input is the microprocessor. Unique to the device and programmed into a non-volatile processor key register at the time of manufacture. In one embodiment, the symmetric key is a 128-bit AES key, and the microprocessor uses its cryptographic unit to perform AES encryption on the secure code. Flow proceeds to block 909. ^ ❹ ❹ In block 909, the microprocessor establishes one or more hashes of a plurality of paragraphs in the encrypted secure code. In one embodiment, the intra-processor = encryption early element is used to establish one or more SHA-1 hashes of the encryption code. 'Charging continues to block 910. ~ In block 910, the microprocessor writes the encrypted secure code (and the data 'if any) and the one or more hashes to the secure non-volatile memory through the private bus, wherein the private bus Isolated from system bus resources. This security code and data are encrypted, thus preventing the detection of the contents of the code. Flow continues to block 911. In step 911, a non-volatile enable indication register is set to indicate that the safe execution mode is enabled. Flow continues to block 912. In block 912, a secure execution mode enable reset sequence is performed within the microprocessor. This reset sequence includes a hardware check (as in the related figure in Figure 5) and a method of initializing the security volatilization into a complex number, i.e., performing the initialization of the secure code in the microprocessor of the present invention. Referring next to Fig. 10, a flowchart 1000 shows a method for enabling a reset operation in a row safe execution mode in the microprocessor CNTR2447/0608-A41940TWf/51 200949602 of the present invention. Thereafter, the microprocessor has committed a full execution. Mode operation. The process begins at block 1001 >, when the microprocessor element is initialized to the secure execution mode, the microprocessor executes the security (four) button reset sequence. Process _ 1002 〇

In block 1002, the microprocessor performs a multi-processor honesty check, including the extraction and validation of secure non-volatile memory, batteries, and quartz. In addition, the nuclear dragon secret clock is in the money (four) solid, and confirms the appropriate t voltage provided to the bus terminal and the microprocessor to supply power. The temperature of the microprocessor is confirmed to be - acceptable __. Flow continues to block. In block 1003, the microprocessor performs a non-volatile memory link (nectivity) and a hash check. Read the security signature from a location in the secure non-volatile memory and decrypt the security signature. The decrypted signature was checked to verify that the non-volatile memory was not leaked. In addition, the microprocessor reads the specific location of the secure non-volatile clock and the corresponding hash. The cryptographic hash of the selected location is generated by the encrypted (i.e., HASH/RSA) unit and compared to the hash being read. Flow continues to block 1004. A confirmation of the secure real-time clock is performed on the processor. In the implementation of the 'h execution mode real-time clock estimation state' then speculates that the change in frequency is greater than five percent, so the 状 矣 与 与 与 与 与 与 大于 大于 大于 大于 大于 大于 大于 大于 大于 大于The warning signs of China’s Zambia’s security threats. If the above-mentioned confirmation check is produced, the result is based on the severity and frequency of the detected event, and the safety is enforced _ "Lee, CNTR2447/0608-A41940TWf^ 4 fruit type to 200949602 into 1005 ° can be reset The sequence will cause this event to be logged, or force the microprocessor into a degraded mode, or a hardware shutdown mode. The flow proceeds to block "from non-volatile memory (system memory and/or BIOS memory)" in block 1005. The encrypted secure code and data are taken. The flow proceeds to block 1006. In block 1006, the secure coded code is decoded and decompressed, and the secure code is then loaded into the microprocessor for security. Volatile memory. The flow proceeds to block 1〇〇7.

In block 1007, the security resources within the microprocessor are initialized. These security resources are not known or accessed by non-secure coding and are only available for secure coding performed in secure execution mode. These resources include security timers, security interrupts, and security exceptions, and include a secure interrupt description symbol form, as well as any security machine-specific scratchpads or other scratchpads that must be initialized for the execution of secure encoding. Initialization includes non-secure interrupts, non-female exceptions, non-secure traces, and disables for debug logic circuits, as well as disables of any power management logic circuitry of the microprocessor, including core voltage and core clock frequency. Any element that changes or enables or disables other components (such as cache memory, branch prediction unit, etc.). The flow proceeds to block 1-8. In block 1008, the non-secure cache memory (i.e., L1 cache memory, L2 cache memory) within the microprocessor is initialized to a random number. The flow proceeds to block 1〇〇9. In block 1009, a secure execution mode interrupt is generated and the secure execution mode reset function is invoked based on the data present in the secure interrupt description symbol form, wherein the secure interrupt description symbol is in the box CNTR2447 / 0608 -A41940丁\\^ „ 200949602 1007 is initialized, that is, the method of enabling the reset operation when the micro-processing of the present invention is completed. Wen Wang Execution ❹ e Next, refer to FIG. 11 , and flowchart 11 〇〇 indicates termination of security in the present invention The method of performing the mode operation. In this case, the security code is being executed in the domain of the domain. According to the invention, there are three ways to convert the microprocessor from non-safe to secure. The execution of the secure code 1 = method allows the program control to be transferred to the execution of the secure code. That is, the non-secure application in the install mode is executed as the SEMENTER instruction 2. In the embodiment - the SEMENTER command causes the microprocessor 2; ^ is stored in a stack of secure volatile memory, and the program control is transferred to = full encoding, very similar to the operation of the x86SYSENTER instruction. The method is that when a non-secure or secure reset sequence is executed, the execution of the security code is due to an interruption or exception. The last method that leads to the execution of the secure code is due to any number of security monitoring. The interruption of the logic element is as discussed with respect to Figure 5. As described above, the secure encoding performed in the secure execution mode is permanently present in the secure non-volatile memory, but during a secure execution mode enabling the reset sequence , it has been loaded into the safe volatilization memory. That is, this security code is no longer executed from non-secure memory, such as system memory or non-secure processor cache memory. Therefore, by two methods The execution control is converted back to the non-secure execution mode by the secure execution mode. The first method includes executing a SRESUME instruction that causes a return from the SEMENTER instruction. In the x86 embodiment, the .SRESUME instruction is similar to x86 RESUME. Method to operate. That is, pre-stored in safe volatilization CNTR2447/ 0608-A41940TW 54 200949602 ❹

= The memory state in the memory is restored (4) G1 > ed), and the program control is transferred to = for system or non-secure coding. The second method is to consider forcing a security instance 'where' by accessing a machine-specific temporary record holder that can only be accessed by secure code, and the security of the microprocessor can access this security exception. If the decision is made to the non-safety (4), then the non-safe mechanical inspection exception is processed by the operating system η, therefore: the return of the non-safe execution mode. The flowchart of Fig. u is to propose a strong 2 security exception to return to the non-secure execution mode, and in this technical field = there is a general knowledge understanding, the execution of the SRESUME instruction causes the micro-processing to steal the similar steps described below. Therefore, the flow continues at block 1102, in which security is programmed into the secure execution mode mechanical dedicated register (seMmsr> semmsr, which is only accessible and securely executed under the security code (4). In the plurality of machine-specific registers, the flow proceeds to block 1103. In block 11〇3, the write to the safe execution mode mechanical dedicated register is generated by the security exception logic in the SEM logic circuit. The security exception. The flow proceeds to block in block 1104 where the security exception logic (e.g., the security interrupt descriptor = symbol form) causes the program control branch to the security exception handler within the security code. Flow continues to block 11〇5. In block 1105, 'Security Exception Manager Response—Authorized Exception Code. This security exception manager performs a return to the secure code, and Say's sends an exception code of one = back to the security code. The flow continues to the block CNTR2447/ 0608~ A4l940TWf/ 55 200949602 In block 1106, it is determined whether the exception code responded by the security exception manager is correct. If the exception is incorrectly programmed, then assume a security risk' and the process proceeds to block 1112. If the exception is coded correctly, the handshake between the security code and the security exception manager is confirmed to indicate a return to non-secure execution. The mode continues and the flow proceeds to block 11-7. In block 1112, the secure execution mode is maintained and control returns to the secure code.

❹ In block 1107, the microprocessor performs a plurality of random writes to all locations of the secure non-volatile memory to clear the contents of the secure non-volatile memory. The secure application utilizes a random number generator in the microprocessor to generate random data and perform random writes to all locations in the secure non-volatile memory. Flow continues to block 1108. In block 1108, the microprocessor clears each location of the secure non-volatile memory by writing to each location of the secure non-volatile memory. Flow continues to block 1109. In block 1109, the non-volatile enable indication register is set to indicate that the secure execution mode is disabled, i.e., the microprocessor is operating in a non-secure execution mode. It is limited by the number of times the safe execution mode can be disabled, as explained above with respect to Figure 8. The process continues to block ul〇. In block 111G, the security exception logic generates a mechanical check exception and, in addition, responds to a state parameter (i.e., the exception code indicates a state) to transfer the program control to one of the non-secure applications. Therefore, the operating system in the safe execution mode handles this mechanical check exception and returns to the non-secure execution mode. Flow continues to block 11U. In block 1111, the method of terminating the operation of the CNTR2447/〇608-A41940TWf/56 200949602 line mode is terminated in the microprocessor of the present invention. Figure 12 is a detailed block diagram of a secure real-time clock, located in the 8-run logic circuit of the microprocessor + of the present invention. #all

f 12; 〇 can only be obtained by secure coding in the safe execution mode: Know and access. The safe real-time clock includes an oscillator that consumes the battery through the "vp" and reduces the stone through the signals C1 and C2. The oscillator generates an oscillating output voltage signal vo, and the signal v〇_count number 1202. This counter produces the output money CNT 〇, and the output signal (3) is routed to the conversion logic circuit lake. The signals vp, ci, and ^ are also input to the conversion logic circuit 12〇3, and the signal pulse is also input to the conversion logic circuit, where the 'signal ENV carries the corresponding The value of the grain temperature. The conversion logic circuit generates the (4) complex material through the signals TEMp, BATT, c〇Mp, XTAL and the bidirectional sink _ TIME. The microprocessor provides the input to the secure real-time clock through the bidirectional bus bar T臓. The oscillator eraser and counter 12〇2 are dedicated, that is, they cannot share other circuitry or micros other than the components that are provided to allow the micro-processing material to read and write to the secure real-time clock at the TIME. Handling other components of the crucible. In addition, the safe real-time clock continues its count when the battery provides an acceptable voltage through the signal vp. In an alternate embodiment, the The voltage signal Vp m is generated by a capacitor on the board to replace the battery that is continuously charged as long as the system board is turned on. In the operation, the oscillator 1201 generates a shock plate output voltage signal v〇, which is proportional to the frequency of the quartz device. 'And this oscillating output voltage is supplied to the counter 1202. The counter 1202 includes a plurality of components for calculating the number of cycles provided by the transmitted signal VO and converting this number into a -counting value. CNTR2447/ 0608-A41940TWf7 _ 200949602 The count value is provided to signal CNTO. Conversion logic circuit 1203 includes a complex circuit that converts the value of CNTO to a duration value. 'Additional' conversion logic circuit 1203 also includes a complex register (not shown). The bus TIME is read and written by the microprocessor. In addition, the conversion logic circuit 1203 is used to detect a significant change of the voltage signal VP, indicating potential tampering, and the event is represented by the setting of the signal BATT. Wherein, the setting of the signal BATT is used to interrupt the secure coding of the execution. In an embodiment, a variation greater than five percent causes the BATT interrupt to be The conversion logic circuit 1203 is also used to detect significant changes in the frequency of the quartz through the signals C1 and C2, thus indicating potential tampering, which is represented by the setting of the signal XTAL. The setting of the signal XTAL is used The safety code being executed is interrupted. In one embodiment, a change greater than five percent causes the XTAL interrupt to be set. The signal ENV is estimated by the conversion logic circuit 1203 to determine that the counter 1202 is inaccurate due to temperature deviations. Counting. If the temperature deviation is judged, the signal TEMP is set, which is used to interrupt the safety code being executed. Switching logic circuit 1203 is also used to estimate whether any of the above conditions are sufficiently significant to indicate that the secure real time clock has been leaked, such as battery movement and replacement. If it is judged that the signal COMP is also set, the execution of the secure code is interrupted. The present invention provides some advantages over current technology to execute applications in a secure environment. For example, the design in accordance with the present invention is based on a microprocessor. That is, one of the objects of the present invention is to modify the micro-injection CNTR2447/0608-A41940TWf/58 200949602=, which is responsible for the secure coding, which is (10), and hides the secret m from his eight-technical technology, and only the microprocessor can provide timely execution. Safety. There are many time-safe isolation methods for silk wafers to monitor microprocessor H. Performance is also significantly reduced for safety-related implementations. And in accordance with the X86-based embodiment of the present invention, the development of secure coding is relatively straightforward due to the ubiquity of the χ86 technology. Χ86 has been known, and for any course that is proficient in the development of non-secure χ86 applications, έ 'Additional and special instructions for machine-specific instructions, such as SEMENABLE, SEMENTER, and SRESUME instructions. Learning challenges. In addition, the cost of additional security execution capabilities for microprocessors is much less than the cost of adding additional chipsets to the system design. In addition, since the secure execution environment is provided within the microprocessor itself, it inherently opposes those physical or slave channel attacks, which do not require additional external circuitry. The techniques disclosed herein are highly advantageous in providing a secure microprocessor operating environment in which a general secret that would be compromised (e.g., a general start, key, or program architecture) is not stored. That is, each processor of the present invention has only secrets that need to be authorized, controlled, etc. by a particular processor or system. The secret from one processor/system does not compromise the security of the other processor/system. In addition, 'knowing how to compromise the security of a processor' should not make it easier to compromise the security on other processors. That is, this is due to the unique processor key that is provided by the data transfer on the A. Fully non-volatile memory bus and which results in the use of these data transmission systems. Key to encrypt. CNTR2447/0608-A41940TWf/ <〇 200949602 The microprocessor according to the present invention has more advantages than the known technique of providing H against the denial_〇f_service attack. For example, as discussed in Figure 5, providing security monitoring components detects and captures activity on events, such as ongoing calls to the secure execution environment (eg, from a malicious device driver), real-time clock battery, and continuous movement of the quartz. Besides and so on. Although the present invention has been disclosed above in the preferred embodiments, it is not intended to be limiting.

The invention is not limited to the spirit and scope of the invention, and may be modified and retouched. The scope is defined. BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a block diagram showing a safe execution mode (SEM) microprocessor according to the present invention; Fig. 2 is a view showing a state of the highest class operation mode in the microprocessor of Fig. 3; Figure 4 is a block diagram showing the SEM logic circuit in a microprocessor according to the present invention; Figure 4 is a block diagram showing how secure coding is stored, accessed, initialized, and executed in a microprocessor in accordance with the present invention; A detailed block diagram of the SEM monitoring logic circuit in the microprocessor of FIG. 1; FIG. 6 is a state diagram showing the operation mode transition in the microprocessor according to the present invention; and FIG. 7 shows the micro processing in the present invention. High-order method flow chart for enabling safe execution mode CNTR2447/ 0608-A41940TWf/ 60 200949602; Figure 8 is a flow chart showing a high-order method for disabling safe execution mode operation in the microprocessor of the present invention; A flowchart of a method for initializing a secure code execution in a microprocessor of the present invention; FIG. 10 is a view showing a safe execution mode in a microprocessor of the present invention A flowchart of a method capable of resetting operation; FIG. 11 is a flowchart showing a method of terminating a secure execution mode operation in the microprocessor of the present invention; and FIG. 12 is a diagram showing a detailed description of a secure real-time clock in the microprocessor of the present invention; Block diagram. [Main component symbol description] 100~ system board; 101~ secure execution mode microprocessor; 102~ system bus; 103~ bus master; 104~ bus management; 105~ safe execution mode logic; 106~private bus; 107~ secure non-volatile memory;

Cl, C2 ~ connection path / signal; PSNT ~ memory detection bus / signal; VP ~ battery; VP1, VP2 ~ connection path / signal; XI ~ quartz; 200 ~ state diagram; 201 ~ non-secure execution mode (native Controlled mode); 202~secure execution mode (SEM-enable mode); 203~degraded mode; 204~hardware shutdown mode; CNTR2447/ 0608-A41940TWf7 61 200949602 300~safe execution mode microprocessor; 301~SEM logic Circuit; 302~ safe volatile memory; 303~ processor state; 304~ secure code; 305~SEM initialization logic circuit; 306~SEM monitor logic circuit; 307~SEM interrupt logic circuit; 308~SEM exception logic circuit; SEM timer; 310~SEM real time clock; ® 311~AES/HASH/RSA unit; 312~ processor key register; 313~ processor execution unit; 314~normal exception logic circuit; 315~normal tracking/dividing Error logic circuit; 316~ normal interrupt logic circuit; 317~ corresponding security code security data; 318~ authorized public key register; 319~ random number generator; ® 320, 321 324, 326, 327 ~ bus; 322 ~ power management logic; 323 ~ address logic; 325 ~ non-secure memory; 328 ~ non-volatile enable indicator register; 329 ~ SEM mechanical dedicated register memory Library; 400~illustration; 401~microprocessor; 402~secure coding interface logic circuit; 403~bus interface interface unit; 404~authorized public key register; CNTR2447/ 0608-A41940TWf/ 62 200949602 405~AES /HASH/RSA unit; 406~secure volatile memory; 407~secure non-volatile memory interface unit; 408~SEM monitoring logic circuit; 409~SEM initialization logic circuit; 410~BIOS memory; 4U,421~ security 4 !2~ random number generator; 413~ processor gold (four) memory · 420 ~ system memory; 425 ~ system bus; , ❹ 430 ~ secure non-volatile memory; 43 b private bus; 432 ~ authorized public Golden wheel CHK, INS ~ bus; 500 ~ SEM monitoring logic; 501 ~ physical environment monitor; 502 ~ bus timing monitor; 503 ~ frequency reference unit; 5 〇 4 ~ processor voltage monitor; 505 ~ temperature Fast, 506~ data monitor · 507 ~ secure time stamp counter; 508 ~ normal time stamp counter; 509 ~ ratio mechanical special register; 510 ~ style monitor; 511 ~ instruction monitor; 512 ~ instruction array; ~ Monitor Manager; BUSTERM, BUS CLK, CORE CLK, TEMP, VDD, CLASS1, CLASS2, CLASS3, DISABLE~ signal; DESTRUCT, INS, NOBOOT, PINCHK, TAMPER, CHK~ bus; CNTR2447/ 0608-A41940TWf^ 63 200949602 600 ~ detailed operation mode icon; 601 ~ native uncontrolled mode (non-secure execution mode); 602 ~ SEM enable reset mode [1: N]; 603 ~ SEM enable normal execution mode; 604 ~ SEM enable Safe execution mode; ❹ 605~degraded mode 700~flowchart 800~flowchart 900~flowchart 1000~flowchart 1100~flowchart 606~hardware shutdown mode; 701.. .705~flow step 801.. .806~ Process steps 901..912~ process steps 1001..1009~flow steps; 1101...1112~flow steps; 1200~secure real time clock; 1201~oscillator; 1202~counter; 1203~transition logic circuit; VP, ENV~ signal; VO, CNTO~ output signal; CNTO~ output signal; TEMP TEMP, BATT, COMP, XTAL~ signal; TIME~ bidirectional bus. CNTR2447/ 0608-A41940TWfi^

Claims (1)

200949602 VII. The scope of application for patents·· 1.------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The 箄 type is only accessed in the microprocessor and is accessed from the system memory. The ^^^ program is transmitted through the system. A non-volatile enable indicates the temporary storage: ❹ Is it in the safe execution mode or L? It does not show the microprocessor Yin, in the microprocessor's power master mode, it is not expected to indicate the temporary storage of the memory and the heavy weight of the application period, the factory safe non-volatile memory Body, through a private work flow: and the device, used to store the security application, wherein = the micro-location of the microprocessor and the safe non-volatile memory ==, flow output 'isolation In the system bus and the microprocessor: = traditional bus resources. The plural financial system 2. If the safe execution environment is provided as described in item 1 of the patent application scope, the security execution module in the processor is entered into the safe execution mode and the non-volatile Enabled to indicate that the first write is performed to indicate that the microprocessor is in the safe execution mode w. 3. The apparatus for providing a secure execution environment, as claimed in the second application, wherein the secure execution mode logic circuit The non-volatile enable indication register is written a second time according to exiting the secure execution mode, indicating that the microprocessor is in the non-secure execution mode. 4. The apparatus for providing a test execution environment as described in claim 1 of the patent application 'where' the non-volatile enable indicator register includes a CNT2447/0608-A41940TWf/65 200949602 wafer ___ w wire disposed at the micro point 'And the microprocessor includes one of the integrated circuits on one single. The device, which is called the safe execution ring filling described in the fourth paragraph of the patent scope, can be switched from the safe execution mode to the #6, such as the number of specific fuses corresponding to the number of fuses. The device, wherein the method of providing a safe execution of the loop described in item 1 of the method, the micro-processing, the non-volatile enable indicating that the register is written to refer to the "safe execution mode" = "safe execution mode" The f column inside the microprocessor. The circuit indicates that the microprocessor is to be executed - the re-sequencing device 7, which is specifically designed to provide a safe execution environment, and one of the security execution mode logics in the security system The circuit estimates the non-volatile non-existing execution mode to evaluate the non-secure execution mode. Branch: When determining whether to support the return mode, the security execution is maintained. Support is returned to the non-secure license. Device for full encoding, the microprocessor device includes: - a binding environment and a secure non-volatile memory for storing a secure application, - a microprocessor - through a private sink The decoupling is used to execute a plurality of non-secure applications::: wherein the security application is only in one amp = private mode, and the microprocessor includes: , executing in the formula and the ship-1 channel device unit is implemented in - System _ _ 200949602 multiple system bus data transmission, these non-secure applications; ϋ 确 确 (10)! All non-volatile memory interface unit, through a private η: This: processing _ to The security Non-volatile memory, used to access the safe non-volatile memory data stream is hidden to avoid being ridiculed, =:::Μ:: resources and a bus: volatilization = temporary / The microprocessor device of claim 8, wherein one of the microprocessors performs a safe execution of the π, full execution mode and sends the non-swing: = the microprocessor is in the safe execution mode微 The microprocessor 2 described in item 9 of the patent scope ===; the security-microprocessor is in the non-secure execution mode=one-two-person write to indicate that the middle two::=: range is temporarily V item The microprocessor device has a plurality of dissolved wires, and the micro=two=3 is integrated in the microprocessor. The thief includes the configuration on the - single-die - single 12. If Shen Qing patent scope item u is CNTR2447/0608-A41940TWf7, in the case of 200949602, the microprocessor can be switched from the safe execution mode to The number of non-safe execution modes corresponds to the number of specific fuses of the fuse. 13. The microprocessor device of claim 8, wherein the non-volatile enable indicating register is written to indicate that the microprocessor is in the safe execution mode, within the microprocessor A secure execution mode logic circuit instructs the microprocessor to perform a reset sequence. 14. The microprocessor device of claim 8, wherein one of the safe execution mode logic circuits in the microprocessor evaluates the non-return according to a requirement to return to the non-secure execution mode by the safe execution mode. The volatilization enable indicates the contents of the register to determine whether support is returned to the non-secure execution mode, and if no support is returned to the non-secure execution mode, the safe execution mode is maintained. 15. A method of performing secure encoding in a secure execution environment, comprising: providing a secure non-volatile memory to store a secure code; and encoding the secure code by transmitting a plurality of private data over a private bus Stored in the secure non-volatile memory, wherein the private sink stream is coupled to the secure non-volatile memory; initialize a safe execution mode in a microprocessor to perform the secure encoding; The enabled state is recorded in a non-volatile enable indicating register; and the secure code is obtained from the secure non-volatile memory through the private bus for execution by the microprocessor; wherein the private bus All system bus resources are isolated from the microprocessor and are disposed outside the microprocessor, and the private bus CNTR2447/0608-A41940TWf/68 200949602 is only obtained by one of the microprocessors safely executing the logic circuit Know access. 16. The method of claim 15, wherein the step of executing the secure execution mode in the secure execution environment is recorded in the step of recording the state of the safe execution mode in the non-volatile enablement register. : Performing a first write to the non-volatile enable indicating register in accordance with entering the secure execution mode to indicate that the microprocessor is in the safe execution mode. A method of performing security coding in a secure execution environment as described in claim 16 of the patent application, wherein the step of recording the state in which the secure execution mode is enabled in the non-volatile enable indication register comprises: The non-volatile enable indication of the temporary benefit is performed by exiting the secure execution mode to indicate the microprocessor mode.卜文王m 18. A method of performing a security coding in the application of a subparagraph (4), wherein the non-volatile energy indicates a plurality of fuses in the middle of the device, and the microprocessor = is placed in a single crystal grain On the -[(4).祜 19. If you apply for the stipulation of the 18th item, the method of implementing the security code 'where' the microprocessor can be: = the non-safe execution mode: the number of the owed is 20. The application is as stated in item 15 of the patent application. In a secure implementation, a fully-edited method, where 'in the non-volatile enabler = register to write a person to indicate that the microprocessor is in the safe execution mode of the microprocessor, _ ' The CNTR2447/0608-A41940TW^, -·f path instructs the microprocessor to perform a reset sequence to 200949602. 21. The method of performing secure coding in a secure execution environment as recited in claim 15, wherein one of the secure execution mode logic circuits in the microprocessor returns to the non-secure execution mode according to the safe execution mode. A request is made to evaluate the contents of the non-volatile enablement register to determine whether support is returned to the non-secure execution mode, and if no support is returned to the non-secure execution mode, the secure execution mode is maintained. CNTR2447/ 0608-A41940TW Points 70